ANSWERED Help On Use Of Whonix With OpenVPN (User-VPN-Tor)

[qqa-ni 0]

hello all,

i would like to hear a little bit of advice/assurance on what i am trying to accomplish here.

my goal is to obtain a user-VPN-Tor connection through whonix on a virtual machine. the host is windows 7.

i have been looking at documentation on doing so and it looks complicated yet doable.

 

https://www.whonix.org/wiki/Tunnel_Tor_through_proxy_or_VPN_or_SSH#Tunnel_Tor_through_VPN

https://github.com/adrelanos/VPN-Firewall

 

the idea here is to be able to have a virtual machine running with the above mentioned connection scheme working properly, while allowing the host to communicate freely outside of any VPN or Tor connections. (just through the ISP as normal)

in theory, two "separate" connections. host will be able to communicate with true identity, while at the same time the virtual machine is routed as user-VPN-Tor.

 

as of current my setup is to have all connections on host locked through AirVPN servers and DNS, and then starting the whonix-gateway after VPN connection on host has been established.

 

before attempting this setup, i would like to hear some thoughts (maybe from staff as well) on how secure this setup is, and if it is viable. assuming that i have properly setup the virtual machine to take care of user-VPN-Tor and making sure DNS leaks are prevented (also shortly mentioned on the github link as well).

[OpenSourcerer 1360]

in theory, two "separate" connections. host will be able to communicate with true identity, while at the same time the virtual machine is routed as user-VPN-Tor.

 

Sounds like a traditional TOR over VPN on a VM.

 

There are numerous threads about seamless tunnels, done well with iptables or Firestarter.

[iwih2gk 92]

Yep, really easy to do.

 

If you setup your host and firewall for AirVPN only (both tunnel and dns would be Air only) that would be your first project.  Once you get that locked down, then using a VM with Whonix is the way to go.  I would further suggest that you build the VM using a linux OS.  Whonix/TOR over AirVpn works really well and I get decent speeds for surfing.  As an added bonus your ISP won't know you are using Whonix because all activity is hidden in the obfuscated bridge of the Air tunnel.  Nice!!

[qqa-ni 0]

edit: i've figured everything out through further research and with the help of adrelanos (whonix developer). moderator feel free to delete the thread. thanks all who contributed

 

-original post-

thanks for the responses.

@gigan3rd
is there anything that the iptables thread would be accomplishing that the VPN-Firewall (github link) wouldn't be? that little github script is written by the author of whonix as well, so it feels more tailored toward my usage.

@iwih2gk
that is already my current setup. again, my goal is to have only the virtual machine's traffic go through the VPN and then subsequently through Tor (via whonix-gateway). while at the SAME time, i am free to use the host OS with my true identity.



i suppose i should have addressed my main concerns in the first post. with regards to the setup i want to achieve, i just need to know whether or not there is a risk of traffic leaking between the host and virtual machine, which would compromise my entire setup. and whether or not there will be any hints of tor/whonix usage leaking through the VPN with this setup.

furthermore (i would assume not, but asking to be sure), is there a need to take care of any DNS or other network settings on the host with this setup?

maybe this text visual will help clarify for anyone confused as to what i am trying to do:

.............--> unmasked connection (true identity, through ISP)
............/
host OS
............\
.............--> virtual machine --> VPN --> Tor


thanks again for all responses.

[OpenSourcerer 1360]

edit: i've figured everything out through further research and with the help of adrelanos (whonix developer). moderator feel free to delete the thread. thanks all who contributed

 

Nobody ever deletes posts or even threads. Best thing one can do is marking the thread as answered. Done by clicking Mark as solved in the bottom right corner of the post which helped you. In this case, marking your own post as the best solution is a good idea, too, since you got it done by contacting a whonix developer.

[iwih2gk 92]

It is very possible to accomplish what you want BUT I find it risky to mix true anonymous whonix usage with other usage on the same host/VM machine.  That is a personal conflict for me because I don't trust myself not to screw up when in a hurry or having a "brain fart" of sorts.  Assuming you can get past the part where you have an accident without thinking - the task would be easy.

 

Plus (a personal choice on my end) I NEVER use my host linux OS for anything other than hosting.  All internet activity happens in the VM's, which are VPN and TOR combinations.

 

If I was going to do what you describe I would create a locked down system such as what I have already.  Then to get out on my normal ISP I would use two small VM's.  First, pfsense for the connection to the raw ISP.  Second, a linux VM bridged to the private pfsense adapter so that it cannot communicate with the other VM's ever.  I don't know if you have ever used pfsense but it allows you to create a second LAN which is private and separate.  Any VM that doesn't have the pfsense private adapter cannot communicate through the pfsense VM.   Make sense?  However; I affirm I wouldn't run in this configuration because if anyone can have an accident it would be me!  My .02

[qqa-ni 0]

i suppose i should have a concluding post. there are sure to be others who have same questions.

 

yes, this setup is possible. no risk of leaks between VM and host if your setup IS PROPER.

whonix 8.3 (at time of writing, in testing) has included many updates which improve VPN functionality and setup on whonix-gateway. this includes the earlier mentioned VPN-Firewall.

with this setup there is no need to configure special DNS settings on host nor VM (whonix does not have system DNS enabled). so, with VPN-Firewall to aid, no risk of DNS leaks.

advice: do not use kde's network management to manage/use openVPN. do this in the terminal (root required)

 

safe to test ever since airVPN allowed multiple connections at once. during setup have VPN on host running and you are free to test around in whonix-gateway.